Do you know what other thing you've just put into a nailed coffin? The ability to inspect traffic your own device is making. So now Google and other nasty corporations get to decide what they send back to their servers without a possibility of you ever finding out.
But this was already possible. Hitching your “I have control over my own device” wagon to “My device allows me to x, y, or z” that are only possible due to history, backwards compatibility, or because not enough people actually do it to be a problem is a battle already lost.
Winning the war requires legislation that demands devices and software be introspectable by all users, not just ones that can set up cheeky MITM proxies.
But they're not cheeky MITM proxies; it's the way HTTP traffic inspection is done. Even if the right to inspect your traffic was legislated, it would need to be compatible with existing MITM tooling.
Why am I suddenly getting the "just go get some legislation" treatment? I could just as well give you a lesson about how trying to prevent corporate MITM middleboxes with technological means is a lost cause and you should just work on getting some legislation to prevent it.
The difference, to me, is that eliminating the ability for someone who isn't the operator of a website to present a valid cert for that website is an improvement for security and reliability.
> it would need to be compatible with existing MITM tooling
In my ideal world it wouldn't be; it would be done on the endpoint before/after the traffic is encrypted/decrypted. There would be no need to MITM anything; the OS would happily show you the content and be legally required to provide facilities for the user/software to do so.
Regulating away MITM proxies doesn't make sense because we don't need to do it; you can prevent middleboxes with nothing other than tech by breaking the ability to MITM connections.
> Regulating away MITM proxies doesn't make sense because we don't need to do it; you can prevent middleboxes with nothing other than tech by breaking the ability to MITM connections.
You can, because you're talking about middleboxes. But you can't really prevent the owner of the device from MITM-ing traffic; you can just make their life needlessly harder. Or you can attempt to make them not be the owner of the device, so that they are not fully in control, which is unacceptable.
I agree middleboxes shouldn't exist, but the only reason they are able to is because you're not the owner of the device you're communicating from. That's a problem you can solve with legislation.
> In my ideal world it wouldn't be; it would be done on the endpoint before/after the traffic is encrypted/decrypted. There would be no need to MITM anything; the OS would happily show you the content and be legally required to provide facilities for the user/software to do so.
This sounds technically unfeasible. HTTP can be done by any number of userland libraries. How is the OS to ensure that all such libraries are compliant?
On top of that, you're talking about the creation of a new kind of protocol for this kind of thing here. There's an insane amount of tooling currently using HTTP proxies for this which cannot be easily replaced.
Be careful what you wish for.